From e56c756223b10d56c16c818a99ae694493e73f37 Mon Sep 17 00:00:00 2001
From: emily
Date: Thu, 12 Sep 2024 00:15:52 +0200
Subject: [PATCH] ooklaserver: Cleanup
---
 modules/ooklaserver/default.nix | 46 ++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/modules/ooklaserver/default.nix b/modules/ooklaserver/default.nix
index 6232541..c91bfec 100644
--- a/modules/ooklaserver/default.nix
+++ b/modules/ooklaserver/default.nix
@@ -3,13 +3,15 @@ let cfg = config.kyouma.ooklaserver;
 in {
 options = {
- kyouma.ooklaserver = with lib; {
- enable = mkEnableOption "ookla speedtest server";
- package = mkPackageOption pkgs "ooklaserver" {};
+ kyouma.ooklaserver = let
+ inherit (lib) mkOption types;
+ in {
+ enable = lib.mkEnableOption "ookla speedtest server";
+ package = lib.mkPackageOption pkgs "ooklaserver" {};
 domain = mkOption {
 description = "Domain to use.";
 default = null;
- type = types.str;
+ type = with types; nullOr nonEmptyStr;
 };
 openFirewall = mkOption {
 description = "Whether to open the firewall for the specified ports.";
@@ -51,20 +53,19 @@ in {
 };
 };
 config = lib.mkIf cfg.enable {
- users.users.ooklaserver = {
- description = "OoklaServer User";
- group = "ooklaserver";
- createHome = false;
- isSystemUser = true;
- };
- users.groups.ooklaserver = {};
 security.acme.certs.${cfg.domain} = {
- group = "ooklaserver";
 reloadServices = [ "ooklaserver.service" ];
 webroot = "/var/lib/acme/acme-challenge";
 };
- kyouma.ooklaserver.settings = with lib; {
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ allowedUDPPorts = cfg.udpPorts;
+ allowedTCPPorts = cfg.tcpPorts;
+ };
+
+ kyouma.ooklaserver.settings = let
+ inherit (lib) mkDefault;
+ in {
 OoklaServer = {
 inherit (cfg) tcpPorts udpPorts;
 enableAutoUpdate = false;
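Review bot: Widening `domain` to `nullOr nonEmptyStr` while keeping `default = null` lets an enabled module evaluate with no domain set, yet `cfg.domain` is still used unguarded as the attribute name in `security.acme.certs.${cfg.domain}` (context in the next hunk) and in the `LoadCredential` paths added later in this patch. Before this change `types.str` rejected the `null` default as soon as the option was read, so the commit changes the failure mode rather than only tidying it; as far as I can tell a `null` dynamic attribute name is dropped silently, so the ACME certificate would not be declared at all and the `.directory` lookups would fail with a message that does not point at the option. An assertion next to the new `networking.firewall` block would name the problem directly: `assertions = [ { assertion = cfg.domain != null; message = "kyouma.ooklaserver.domain must be set when kyouma.ooklaserver.enable is true."; } ];`.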
@@ -89,8 +90,8 @@ in {
 http.maxHeadersSize = mkDefault 65536;
 };
 openSSL.server = {
- certificateFile = "${config.security.acme.certs.${cfg.domain}.directory}/cert.pem";
- privateKeyFile = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
+ certificateFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/cert.pem";
+ privateKeyFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/key.pem";
 minimumTLSProtocol = mkDefault "1.2";
 };
 logging.loggers.app = {
@@ -102,10 +103,7 @@ in {
 level = mkDefault "information";
 };
 };
- networking.firewall = lib.mkIf cfg.openFirewall {
- allowedUDPPorts = cfg.udpPorts;
- allowedTCPPorts = cfg.tcpPorts;
- };
+
 systemd.services.ooklaserver = let
 configFile = let
 anyToString = arg: if (lib.isBool arg) then
@@ -113,8 +111,8 @@ in {
 else if (lib.isList arg) then
 lib.concatStringsSep "," (map (val: toString val) arg)
 else toString arg;
-
- in with lib; lib.pipe cfg.settings [
+ in
+ with lib; lib.pipe cfg.settings [
 (mapAttrsRecursive (path: val: "${concatStringsSep "." path} = ${anyToString val}"))
 (collect isString)
 (concatLines)
@@ -132,9 +130,15 @@ in {
 serviceConfig = {
 Type = "simple";
 Restart = "always";
+ User = "ooklaserver";
 Group = "ooklaserver";
+ DynamicUser = true;
+ LoadCredential = [
+ "cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"
+ "key.pem:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+ ];
 ExecStart = "${packageWithCfg}/bin/OoklaServer";
 WorkingDirectory = packageWithCfg;
 SyslogIdentifier = "ooklaserver";
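Review bot: The new `certificateFile`/`privateKeyFile` paths point at the copies systemd places under `/run/credentials/<unit>` when the service starts (via the `LoadCredential=` lines added later in this patch), so after an ACME renewal the process keeps serving the old certificate until the unit is restarted, whereas the old paths read the ACME directory directly and a plain reload picked up the renewed files. `reloadServices` in the ACME module issues `try-reload-or-restart`, so this is only a problem if `ooklaserver.service` defines `ExecReload=`, which is not visible in this patch; if it does, the renewal hook should force a restart, e.g. `security.acme.certs.${cfg.domain}.postRun = "systemctl restart ooklaserver.service";`, or `reloadServices` should be dropped in favour of that. A short comment above `openSSL.server` stating that the paths are the `LoadCredential=` snapshot and are only refreshed on restart would save the next reader the same investigation.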
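Review bot: The re-indented `with lib; lib.pipe cfg.settings [` keeps the `with lib;` scope that the rest of this commit replaces with explicit `inherit (lib) …` bindings, so the config-file builder is now the only place in the module still relying on `with`, and it mixes that with a qualified `lib.pipe` on the same line. The enclosing `configFile = let` starts outside this hunk; its `let` already binds `anyToString`, so the names can be inherited there instead: add `inherit (lib) collect concatLines concatStringsSep isString mapAttrsRecursive;` next to `anyToString` and change the new line to `in lib.pipe cfg.settings [`.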